isJWT does not check whether the decoded sections are valid JSON #2511

lvoz2 opened this issue Dec 23, 2024 · 2 comments
lvoz2 commented Dec 23, 2024

Describe the bug
If you give any string that has 2 or 3 parts, separated by dots (.), where each part is valid Base64, isJWT will return true, even if when the Base64 is decoded, the result is not valid JSON.

Examples
isJWT("foo.bar.<signature_here>") -> true, even though "foo", which is valid Base64 encoded text, is not valid JSON, and so creates an invalid JWT.

Reproductions

import validator from "validator";

console.log("foo.bar.", validator.isJWT("foo.bar.")); // true
console.log(".babelrc.cjs", validator.isJWT(".babelrc.cjs")); // true
console.log("..", validator.isJWT("..")); // true
console.log(".t.", validator.isJWT(".t.")); // true

Additional context
Validator.js version: 13.12.0
Node.js version: 23.5.0
OS platform: linux

lvoz2 added the 🐛 bug label Dec 23, 2024

pano9000 (Contributor) commented

Thanks for reporting.
Looking at the code of isJWT.js, yes, that is currently what the code will do, unfortunately, so it isn't really a useful validator IMHO :-(
It seems like JWT is even a bit more strict than being "just" valid JSON, so the validation here would need to be expanded even a bit more.
https://datatracker.ietf.org/doc/html/rfc7519

I'll check and see if I can do anything here in the first week of January.


lvoz2 commented Jan 2, 2025

I did have a small crack at doing this myself, but in doing so, I noticed that isBase64 skips a lot of the validation checks when urlSafe is true, causing some strings to pass this validator even if they are not actual Base64 according to the spec: https://datatracker.ietf.org/doc/html/rfc4648
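A stricter structural check that addresses both points raised in this thread (the missing JSON check in isJWT and the lenient url-safe Base64 handling), added here as an illustration; it is not validator.js code and not a proposed patch. It assumes Node.js for Buffer, and the sample token values are constructed.

```javascript
// Added example, not validator.js code: a structural check for a JWS
// compact-serialised JWT (RFC 7515 / RFC 7519). Unlike the isJWT behaviour
// reported above, it requires strict unpadded base64url segments (RFC 4648
// section 5) that decode to JSON objects, plus the mandatory "alg" header.
// It checks structure only; it does not verify the signature.
const BASE64URL = /^[A-Za-z0-9_-]+$/;

// Strict unpadded base64url: right alphabet, non-empty, and a length that
// can actually arise from encoding bytes (length mod 4 is never 1).
function isStrictBase64Url(s) {
  return BASE64URL.test(s) && s.length % 4 !== 1;
}

// Decode a segment and return it only if it is a JSON object (not an
// array, scalar or null); otherwise return null.
function decodeJsonObject(segment) {
  if (!isStrictBase64Url(segment)) return null;
  let parsed;
  try {
    parsed = JSON.parse(Buffer.from(segment, 'base64url').toString('utf8'));
  } catch {
    return null;
  }
  if (parsed === null || typeof parsed !== 'object' || Array.isArray(parsed)) {
    return null;
  }
  return parsed;
}

function isStructurallyValidJWT(token) {
  if (typeof token !== 'string') return false;
  const parts = token.split('.');
  if (parts.length !== 3) return false; // header.payload.signature
  const [h, p, sig] = parts;
  const header = decodeJsonObject(h);
  if (header === null) return false;
  // RFC 7515 section 4.1.1: "alg" is required in the JOSE header.
  if (typeof header.alg !== 'string' || header.alg === '') return false;
  if (decodeJsonObject(p) === null) return false;
  // The signature segment must be base64url too; this also rejects the
  // empty signature of unsecured (alg "none") JWTs.
  return isStrictBase64Url(sig);
}

// Constructed sample token for demonstration (hypothetical values).
function b64url(obj) {
  return Buffer.from(JSON.stringify(obj)).toString('base64url');
}
const SAMPLE_VALID = `${b64url({ alg: 'HS256', typ: 'JWT' })}.${b64url({ sub: '1234567890' })}.c2ln`;
```

The four strings from the reproduction above are all rejected by this check, while SAMPLE_VALID passes.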
